×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

I'm running a really old machine at home.....

I'm running a really old machine at home.....

I'm running a really old machine at home.....

(OP)
P120 under Windows 95 A.

I found out I have a virus.  When I try to go to Symantec or any other anti-virus site it kills my browser.  I went to the store yesterday to buy an anti virus software and I see that most of them will work under everything from XP down to 95 B.  Does this automatically exclude 95 A?  I'd really hate to have to take the old machine out and shoot it......it has served me faithfully and well.

Thanks.

PerryG

RE: I'm running a really old machine at home.....

You probably have a virus that prevents your using a web based virus site.
Suspect that you will see that there is a cleaning mechanism available under DOS even though the package is marked for later OSs. There has to be a way to clean something off that kills the OS loading from the hard drive.

Ed Fair
 efair@atlnet.com
 
Any advice I give is my best judgement based on my interpretation of the facts you supply.

Help increase my knowledge by providing some feedback, good or bad, on any advice I have given.

RE: I'm running a really old machine at home.....

I would go to www.us.sophos.com and try their trial software. This site usually isn't blocked. Once you have disinfected your system, you can try an AV (anti-virus) system you want.

I like Sophos, it supports many OS's that other AV's don't. Not cheap however.

James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.

RE: I'm running a really old machine at home.....

(OP)
Many thanks, everyone.

PerryG

RE: I'm running a really old machine at home.....

What virus is it? Is it MTX? If you don't know then try a scan here: http://housecall.antivirus.com/

If you can't get there then download Startlog.com from the link below and run it. It'll create 2 files on your desktop. Open the Startlog file and copy and paste the contents here. It should show us what virus you have.

http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

RE: I'm running a really old machine at home.....

One method I have found that works quite well, although not for the faint of heart, is to go through the registry Run, RunServices, RunOnce and RunServicesOnce keys, WIN.INI, SYSTEM.INI and the startup group and remove all references to the virus program, then reboot into MS-DOS mode and delete the files.  One more reboot later and voila.

John

RE: I'm running a really old machine at home.....

(OP)
I ran the startlog.exe that was recommended by Kento.  Here is the results:

 StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________
  
 Comments:  
 
  This is a log of all the programs on your computer that
  are starting automatically every time you start Windows.
  Using this log can be a quick way to spot trojans.
 
  StartUp Log (version 1.53) - Release Date 8/19/2001  
  
__________________________________________________________________________
__________________________________________________________________________
  
                      StartUp Log Index
  
                       1. HKLM Run
                       2. HKCU Run
                       3. HKLM RunOnce
                       4. HKCU RunOnce
                       5. HKLM RunServices
                       6. HKLM RunServicesOnce
                       7. WIN.INI file
                       8. SYSTEM.INI file
                       9. AUTOEXEC.BAT file
                      10. StartUp folder
                      11. All Users StartUp
                      12. Misc. StartUp Configurations
 
__________________________________________________________________________
__________________________________________________________________________
 
       The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________
 
  1. HKLM Run - Registry
 
     [RegPath]
     "StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SystemAgent"="C:\\WINDOWS\\SYSTEM\\SAGE.EXE"
"BrowserWebCheck"="loadwc.exe"
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"

 
==========================================================================
__________________________________________________________________________
 
  2. HKCU Run - Registry
 
     [RegPath]
     "StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"

 
==========================================================================
__________________________________________________________________________
 
  3. HKLM RunOnce - Registry
 
     [RegPath]
     "StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

 
==========================================================================
__________________________________________________________________________
 
  4. HKCU RunOnce - Registry
 
     [RegPath]
     "StartUp"
 
 *(RegPath not found..)*  
 
==========================================================================
__________________________________________________________________________
 
  5. HKLM RunServices - Registry
 
     [RegPath]
     "StartUp"
 
 *(RegPath not found..)*  
 
==========================================================================
__________________________________________________________________________
 
  6. HKLM RunServicesOnce - Registry
 
     [RegPath]
     "StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

 
==========================================================================
__________________________________________________________________________
 
  7. WIN.INI File - (c:\windows\win.ini)
 
 Your win.ini run/load lines should look like run= and load= exclusively.
 There should be nothing to the right of the equal signs.
 
 
These are the run and load lines in your WIN.INI file

run=

load=
 
==========================================================================
__________________________________________________________________________
  
  8. SYSTEM.INI File - (c:\windows\system.ini)  
 
 Your system.ini shell line should look like shell=Explorer.exe exclusively.
 You should only see Explorer.exe following the equal sign.
  
 
This is the shell line in your SYSTEM.INI file

shell=Explorer.exe
 
==========================================================================
__________________________________________________________________________
  
  9. AUTOEXEC.BAT File - (c:\autoexec.bat)
 
 (Some trojans have been known to start from this file)
 
 
These are your program startups and set paths in your autoexec.bat file
 
 
==========================================================================
__________________________________________________________________________
 
 10. StartUp Folder - (c:\windows\start menu\programs\startup)  
 
 Shortcuts to any program will automatically start when placed here.
 
 
These are the shortcuts located in your StartUp folder
 
C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office Shortcut Bar.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Quicken Startup.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Billminder.lnk
 
==========================================================================
__________________________________________________________________________
 
 11. All Users Folder - (c:\windows\all users\start menu\programs\startup)  
 
 Shortcuts to any program will automatically start when placed here.
 
 
These are the shortcuts located in your All Users StartUp folder
 
 
 *(No start-ups found)*
 
==========================================================================
__________________________________________________________________________
 
  12. Miscellaneous StartUp Configurations
 
-============================-
 Registry StartUp Directories
-============================-
 
 Should show the Start Menu StartUp and All Users StartUp directories
 
.....................................................................
 
 [1] HKCU - Shell Folders
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
 
.....................................................................
 
 [2] HKCU - User Shell Folders
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

 
.....................................................................
 
 [3] HKLM - Shell Folders
 
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
 *(RegPaths not found..)*
 
.....................................................................
 
 [4] HKLM - User Shell Folders
 
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

 
.....................................................................
 
-=======================-
 Registry Shell Spawning
-=======================-
 
 Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)
 
@= Open Command Not Found...
(.hta file - NoRegPath = HKCR\htafile\shell\open\command)
 
-=========================-
 HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

 
-====================-
 StubPaths - Registry   (Partial Listing)
-====================-
 
 (Please see the StubPath.txt on your desktop for complete listing)
 
HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"=""
"StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
-=====================-
 Screen Saver Settings  (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SETIHOME.SCR
 
==========================================================================
__________________________________________________________________________
 
 - Supplemental Environment Information -
 
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS
 
File - c:\windows\Wininit.ini
 
==========================================================================
__________________________________________________________________________
 
                            - End -

Under item 1 in backup there is a file called MTX_.exe .............would this be the culprit?  If so, how do I exorcise the pesky little demon?

Thanks for everyone's help.

PerryG

RE: I'm running a really old machine at home.....

MTX_.EXE is indeed the MTX virus and it can be a nasty one. Did you install and run a scan with an antivirus program? See if this link will load. It has a repair tool you should try downloading and using.

http://securityresponse.symantec.com/avcenter/venc/data/w95.mtx.html

If you cannot get to that site, then the tool is also available at the following site:

http://www.digitalriver.com/symantec/virus

Here's all the info copied from that first link including manual removal instructions. But try the fix tool at the link above.

W95.MTX has a virus component and a worm component. It propagates by email. It also infects some Win32 executables in specific folders. The virus has the capability to block access to certain Web sites. This may prevent you from downloading new virus definitions.

Also Known As: W95.Oisdbo, W95.MTX.dr, W95.MTX (.dll), W32/Apology-B

Payload: Some infected files are corrupted beyond repair.
Modifies files: Windows executables
Distribution:

Subject of email: None
Name of attachment: Variable (see below)
Size of attachment: Variable
Time stamp of attachment: Immediately after a new email message is sent, a second message is sent with no subject and the worm attached.

Technical description:

Worm component

The worm component makes a copy of Wsock32.dll and names it Wsock32.mtx. The Send export function of this .mtx file is then modified to point to its own code. This allows the virus to mail a copy of the worm infected with this virus to the same person to whom the user sends an email message (using the same program).

Here is a list of file names that this virus might use when it sends the infected worm to other people. For those files with .pif extensions, the .pif extension might not be visible in your mail program.

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

Wininit.ini is created by this component, which causes Wsock32.dll to be deleted and Wsock32.mtx to be renamed to Wsock32.dll. Wininit.ini executes after the computer is restarted. After Wininit.ini is created, this component runs the virus component.

NOTE: Norton AntiVirus will detect the Wininit.ini file that's created by W95.MTX as W95.MTX.INI.

Virus component
The virus component searches for specific antivirus programs running. If the virus finds one, the virus does not run. If the virus continues to run, it decompresses the worm component, drops a copy of it into the user's Windows directory (typically C:\Windows), and runs it. The name of this dropped file is Ie_pack.exe. After Ie_pack.exe is executed, it is renamed to Win32.dll.

The virus also drops Mtx_.Exe and runs it. This is a downloader program that goes to a specific Web site (i.am/[MATRIX]) where plug-ins for the virus are downloaded and executed. It searches for Win32 executables in the current directory, Windows directory, and the Temp directory. The file to be infected needs to have a size that is not divisible by 101, is greater than 8 KB in size, and has at least 20 import call instructions. If not, the file is not infected by the virus.

The virus also adds a registry entry that lets the downloader run automatically every time the system is started. The downloader is invisible in the Task List.

Removal instructions:

There are two ways to remove this virus:

Use the SARC W95.MTX Fix Tool.
Manually remove the virus.

In most cases, you should first try the W95.MTX Fix Tool.

Manual removal procedure

This is a complex and difficult virus to remove. It alters system files, and on some computers these files cannot be repaired. In some cases, after attempting to repair the virus, you cannot start Windows until you restore the essential system files from the original Windows installation CD.

NOTE: Because this virus can not only disable Windows and executable files, but can also block access to certain Web sites, including Symantec Web sites, in some cases you must perform any needed downloads on an uninfected computer.

This document assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

CAUTIONS:
Windows 98 enables you to create a startup disk, which contains both system files and drivers that will work with most CD-ROM drives. Windows 95 does not. Before you start this procedure, it is strongly recommended that you create or obtain a Windows 98 Startup disk. This can be used to start a Windows 95 or a Windows 98 computer. If you do not create this disk first, and the first part of the removal procedure does not work on your computer, then you may not be able to restore some Windows files if this is needed.
This virus should be detected and removed by following the instructions that follow. The mere presence of files that begin with the letters "mtx" or have the .mtx extension is not an indication of infection. For example, the files mtxdm.dll, mtxoci.dll, twain*.mtx, and twunk*.mtx are all legitimate Windows program files.

NOTES:
Due to the nature of this virus, some files will not be repairable. The unrepairable files will need to be restored from clean backup copies, or from the original distribution disks.
To remove this threat you must carefully watch Norton AntiVirus (NAV) during the detection process. The files infected by the virus portion of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any files that are detected as being infected with either W95.MTX or W95.MTX (.dll) should be repairable.
Files that are part of the Trojan and worm part of the infection should be detected as W95.MTX.dr. Any files detected as being infected with W95.MTX.dr must be removed.
It is important to make the distinction between the virus and the worm components, because the virus part of W95.MTX can infect Windows system files, and if you delete system files, then you might damage Windows.

To repair the damage done by this virus, follow the instructions in each section.
Create or obtain a Startup disk
Ensure that you have the most recent virus definitions
Restart the computer to a command prompt
Delete the infected files
Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files
Edit the registry

To create or obtain a Startup disk:

NOTE: You can skip this section if you are sure that the Windows installation files are located on the local hard drive, and that you can restart the computer in MS-DOS mode. Details on this are covered in the sections that follow.

Before you begin the removal process, you should create or obtain a Windows 98 Startup disk. If you are running Windows 95, then you may be able to obtain one from a local computer store. To create one on a Windows 98 computer, follow these steps:

CAUTION: This must be done on an uninfected computer. Do not do this on the computer that is infected with the virus.

1. Click Start, point to Settings, and click Control Panel.
2. Double-click Add/Remove Programs.
3. Click the Startup disk tab.
4. Place a new, formatted floppy disk in the floppy disk drive.
5. Click Create Disk, and then follow the prompts.

To ensure that you have the most recent virus definitions:

Norton AntiVirus must be installed, and you must have virus definitions dated September 5, 2000, or later. If your virus definitions are up-to-date, then go on to the next section. If they are not up-to-date, then you cannot run LiveUpdate or download the definitions from the SARC Web site. There are several ways to work around this:
If you have access to an uninfected computer, then download the most recent definitions from the SARC Web site, and then install the definition files on the infected computer. For instructions on how to do this, see the following documents:
How to update virus definition files using the Virus Definition Update Installer.
How to update virus definitions on computers without Internet or network connections
If you do not have access to a uninfected computer, then there are two ways to work around this:
Use the numeric Web address to get to the Symantec Web site. The numeric address is

208.226.167.17

For instructions on how to do this, see the document How to retrieve virus definition updates when the computer is infected with a virus that prevents you from connecting to Symantec Web sites.
Download the Virus Update Definition Installer from the Tucows Web site.
1. Point your browser to http://www.tucows.com.
2. In the Search Software Library box, type norton dat and then click GO!

NOTE: That is type norton and then a space, and then type dat

3. Locate the entry--it should be the first in the list--for the Platform: Windows 95/98, and then click Download Now.
4. Choose your region and your state or locality, and then click GO!
5. Click the download site nearest your location.
6. Download the file to a location on the hard drive, such as the Windows desktop.
7. When the download is finished, double-click the file that you downloaded to install it.
To restart the computer to a command prompt:

You must restart the computer to a command prompt. Follow the steps for your operating system:

Windows 95
1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
2. Click Restart, and then click Yes. Windows shuts down, and the computer restarts.
3. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
4. Press the number corresponding to "Command Prompt only," and then press Enter.
Windows 98
1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
2. Click Restart, and then click OK. Windows shuts down, and the computer restarts.
3. As the computer restarts, press and hold down the Ctrl key until the Windows 98 Startup Menu appears.

NOTE: On some computers, a keyboard or other error may appear during restart as you hold down the Ctrl key. If so, then follow the prompts to press a key to continue (for example, the message may prompt you to press the Esc key), then immediately press the Ctrl key again.

4. Press the number corresponding to "Command Prompt only," and then press Enter.

To delete the infected files:

Follow these steps to delete the infected files:

NOTE: These instructions assume that Windows is installed to the default of C:\Windows. If Windows installed to a different location, then substitute the appropriate folder.

1. Type each of the following commands, pressing Enter after each one:

cd \windows
set path=c:\windows\command
attrib -r -s -h *.*
del ie_pack.exe
del win32.dll
del mtx_.exe
del wininit.ini

NOTE: If you see "File not found" after entering any of the commands, then verify that the command was typed exactly as shown.

2. Type dir /s /b \navdx.exe and then press Enter. This displays the path to the Norton AntiVirus DOS scanner. If NAV is installed to a different drive, then change to the root of that drive first.
3. Change to the folder where Navdx.exe is installed.
4. Type one of the following commands, and then press Enter:

CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.

NOTE: The DOS-based scanner can perform one of the following actions when it detects a virus:

To be prompted for any file that is detected as infected, type the following, and then press Enter:

navdx /a /doallfiles /prompt

You must press R)epair, D)elete, or C)ontinue for each infected file. If you choose this option, and NAV cannot repair an infected file, then you will see the message "Unable to repair the file" followed by the same three choices. In most cases you should then choose D)elete, unless you are sure that the file is not actually infected.

To delete any file that is detected as infected, type the following, and then press Enter:

navdx /a /doallfiles /delete

The disadvantage to this is that files that could be repaired will be deleted.

To repair any file that is detected as infected, type the following, and then press Enter:

navdx /a /doallfiles /repair

CAUTION: If NAV cannot repair a file and you choose this option, then the file will be skipped. This means that infected files will still be on your system. If you choose this option, then you must run Navdx again, this time using the /delete switch, as shown in the previous example.

5. When the scan is finished, proceed to the next section.

To extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files:

This is necessary because these files have very likely been infected by the virus and are critical for accessing the Internet and using the computer. You need to use the Extract command at a DOS prompt to restore good copies of these files from the Windows installation files.

There are two locations from which these files can be extracted:
The Windows installation files on your hard drive. On many newer computers, the .cab files that contain the Windows installation files are stored on the computer's hard drive. If you are sure that this is the case, then see the section How to extract files that are located on the hard drive.
The Microsoft Windows 95/98 Installation CD. If you do not have the .cab files on the hard drive, then see the section How to extract files that are located on the installation CD.

CAUTION: If you are running Windows 95 or have upgraded the computer to Windows 98 from Windows 95, then read the following:
If you are running Windows 95, and you have installed Internet Explorer 4.0 or later at any time, then it is not likely that extracting the Explorer.exe file will work on your system. This is because the Internet Explore installation replaces Explorer.exe as well as other files, with later versions. Replacing only the Explorer.exe file from the .cab files will not work in most cases, as the older file will not work with the many other files that were also updated by the installation. If this is your situation, then you may have to reinstall Windows 95 completely, or update to Windows 98 or later.
If you have upgraded to Windows 98 from Windows 95, unless you are sure that the cabinet files on the hard drive are from Windows 98, you should extract the files from the installation CD and not from the files on the hard drive.

NOTES:
These instructions are provided for your convenience. The extraction of Windows files uses Microsoft programs and commands. Symantec does not provide warranty support for or assistance with Microsoft products. However, for your convenience, Symantec now provides fee-based technical support and assistance for a number of non-Symantec products, including products from Microsoft. Symantec Multivendor Support is available by calling (800) 745-6032. Otherwise, we suggest that you contact Microsoft for assistance with this problem.
There are numerous versions of the Windows installation CD available. Each of these may have the needed files in a different location within the .cab files. In the instructions that follow, while the command provided tells the extraction program to start in a specific location, the command also includes the "/a" switch. This command switch will cause the extract program to search recursively through all of the cabinet files that follow, in sequence, until it finds the indicated file. It will not search, however, for file that are in the previous .cabs. For example, the command for Windows 98, extract /a win98_40.cab explorer.exe /L c:\windows, will start with .cab 40, then search .cab 41, and so on. It will not search .cab 39 or previous .cab files.

The Windows 98 .cab files usually begin at 21 and typically end in the upper 70's (usually 74). We have the search begin with .cab 40 because, in most cases, these files are in .cab 44 or 45. This is done to speed up the search for these files. If you have a version of the Windows installation files that are different then the standard format, then you will have to adjust the command accordingly. For example, if you have Windows 98 and the command extract /a win98_40.cab explorer.exe /L c:\windows does not locate the explorer.exe file, and you are sure that you have entered it exactly as shown, try changing the number of the .cab file in which the search starts, for example, to extract /a win98_20.cab explorer.exe /L c:\windows

To extract files that are located on the hard drive:
1. Type dir /s /b \precopy1.cab and then press Enter: This displays the path to the Precopy1.cab file. If the file is not found, then it is likely that the .cab files are not on the hard drive. In which case you should skip to the section How to extract files that are located on the installation CD.
2. Change to the folder where the Precopy1.cab file is located.
3. What you do next depends on which operating system you are using:

NOTES:
If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
If Windows is installed to a different location, then substitute the appropriate path.

CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, then the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.

If you are using Windows 98, then type the following commands, and press Enter after each one:

extract /a precopy1.cab wsock32.dll /L c:\windows\system
extract /a win98_40.cab explorer.exe /L c:\windows
extract /a win98_40.cab rundll32.exe /L c:\windows
If you are using Windows 95, then type the following commands, and press Enter after each one:

extract /a win95_10.cab wsock32.dll /L c:\windows\system
extract /a win95_10.cab explorer.exe /L c:\windows
extract /a win95_10.cab rundll32.exe /L c:\windows
If you do not see any error messages, then you are finished with the extraction process. Proceed to the section Edit the registry.

To extract files that are located on the installation CD:

NOTES:
The instructions that follow are for the most widely-distributed CD versions of Windows 95/98. There are, however, numerous versions, some of which were distributed on floppy disks. Each version may have the .cab files in a different location, or may have the files that you need to extract in a different .cab file. It is beyond the scope of this document to include instructions for every version.
If you do not have the Windows installation CD for which the following commands were written, then you may have to change the command to the correct path for your version. You will also have to locate the .cab file that contains the file that you need to extract. For additional information on this, see the document Which cabinet files contain the original Windows files?
A partial list of these locations for some versions of Windows is also available in the section Cab locations list at the end of this document.
1. Insert the Windows 98 Startup disk in the floppy disk drive.
2. Insert the Windows 98 Installation CD in the CD-ROM drive.
3. Turn off the computer, and then wait thirty seconds.
4. Turn on the computer. The computer starts to a startup menu.
5. The default menu item is Start Computer with CD-ROM Support. Do not change this, but instead press Enter.
6. Allow the computer to finish booting to a A:\> prompt. This could take a few minutes.
7. The next step is to change to the CD-ROM drive. Because you are using the Startup disk, the drive letter will be one letter greater than the drive letter that usually represents the CD-ROM drive. For example, if the CD-ROM drive is the D drive in Windows, it will be the E drive.

Type the following, changing the drive letter as necessary, and then press Enter:

e:\win98 (If the installation disk is for Windows 98)

or

e:\win95 (If the installation disk is for Windows 95)

If you see an error message, then try retyping the command with a different drive letter, for example, f:\win98

8. What you do next depends on which version of Windows you are running:

NOTES:
If you see "File not found" after entering any of the commands, then verify that it was typed exactly as shown.
If you see a message prompting whether you want to overwrite a file, then press Y for Yes, and then press Enter.
If Windows is installed to a different location, then substitute the appropriate path.

CAUTION: You must be very careful when you type the destination of the file to be extracted, for example, C:\Windows. If you designate a destination folder that does not exist, then the extract command will create the new folder and extract the file to that folder without prompting you to confirm the creation. The result can be that the infected Windows system file is not overwritten.

If you are running Windows 98, then type the following commands, and press Enter after each one:

extract /a precopy1.cab wsock32.dll /L c:\windows\system
extract /a win98_40.cab explorer.exe /L c:\windows
extract /a win98_40.cab rundll32.exe /L c:\windows
If you are running Windows 95, then type the following commands, and press Enter after each one:

extract /a win95_10.cab wsock32.dll /L c:\windows\system
extract /a win95_10.cab explorer.exe /L c:\windows
extract /a win95_10.cab rundll32.exe /L c:\windows

If you experience no error messages, then you are finished with the extraction process. Proceed to the next section.

To edit the registry:

Follow these steps to remove the entry that the virus added to the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding. This document is available from the Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select option 2, and then request document 927002.

1. Remove the floppy disk from the floppy disk drive.
2. If you extracted the files from the Installation CD, then remove the CD from the CD-ROM drive.
3. Turn off the computer, and then wait thirty seconds.
4. Turn on the computer, and allow Windows to start.

NOTE: It is normal at this point for error messages to appear. They will refer to the virus files with messages, such as "Windows cannot find...." Ignore these messages. They are the result of the remaining entries in the Windows registry that you will remove next. They do not indicate that the computer is still infected.

5. Click Start, and then click Run. The Run dialog box appears.
6. Type regedit and then click OK. The Registry Editor opens.
7. Navigate to and select the following subkey:

HKey_Local_Machine\Software\[Matrix]

8. Press Delete, and then click Yes to confirm.
9. Navigate to and select the following subkey:

HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run

10. Delete the following value in the right pane:

SystemBackup C:\WINDOWS\MTX_.EXE

11. Click Yes to confirm.
12. In the left pane, click the My Computer key.
13. Click the Edit menu, and then click Find.
14. In the Find what box, type mtx and then click Find Next.
15. What you do next depends on whether any entries are found.
If no entries are found that contain the string mtx, then proceed to the next step.
If any entries are found that refer to Mtx_.exe, then you should delete them. Because this is a string search, it could find entries for legitimate programs that happen to contain this string. Make sure that the references is to Mtx_.exe before you delete it. To continue the search if an entry is found, press F3. Keep doing this until no more entries are found.
16. Perform another find operation, but this time search for [MATRIX]. Delete any entries that are found.
17. Click the Registry menu, and then click Exit to save the changes and close the Registry Editor.
18. Restart the computer.





Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close